Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Read More

Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

Read More

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.

Read More

Detects attempts to record audio with arecord utility

Read More

Detects audio capture via PowerShell Cmdlet.

Read More

Detect attacker collecting audio via SoundRecorder application.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.

Read More

Detects when full data export is attempted.

Read More

Detects when full data export is attempted an unauthorized user.

Read More

Detects user data export activity.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Collect pertinent data from the configuration files

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.

Read More

Detects possible collection of data from the clipboard via execution of the osascript binary

Read More

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Read More

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Read More

Detects a command used by conti to exfiltrate NTDS

Read More

Detects a copy command or a copy utility execution to or from an Admin share or remote

Read More

Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".

Read More

Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.

Read More

Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

Read More

One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe

Read More

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Read More

Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects delete action in the Github audit logs for codespaces, environment, project and repo.

Read More

Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Read More

Detects instances where a GIT service on an OpenCanary node has had Git Clone request.

Read More

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

Read More

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

Read More

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

Read More

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

Read More

Detects instances where an SIP service on an OpenCanary node has had a SIP request.

Read More

Detects instances where an SMB service on an OpenCanary node has had a file open request.

Read More

Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".

Read More

Detects a command used by conti to dump database

Read More

Detects PowerShell scripts that contains reference to keystroke capturing functions

Read More

A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.

Read More

Detects usage of the 'Get-Clipboard' cmdlet via CLI

Read More

Adversaries may log user keystrokes to intercept credentials as the user types them.

Read More

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.

Read More

Potential adversaries accessing the microphone and webcam in an endpoint.

Read More

Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content

Read More

Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.

Read More

In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.

Read More

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data

Read More

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Read More

Detects attempts to use screencapture to collect macOS screenshots

Read More

Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.

Read More

Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.

Read More

Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations

Read More

Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

Read More

Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

Read More

Detects known sensitive file extensions accessed on a network share

Read More

Detects known sensitive file extensions via Zeek

Read More

Detects Processes accessing the camera and microphone from suspicious folder

Read More

Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc

Read More

Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.

Read More

Detects dump of credentials in VeeamBackup dbo

Read More

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Read More

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Read More

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Read More

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Read More

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

Read More

Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects a suspicious winrar execution in a folder which is not the default installation folder

Read More

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More

Looking for new rules alone may generate too many false positives, so adding another check for commonly abused folders, suspicious criteria, and odd names will help filter out benign activity. RedCanary suggests looking for new inbox rules that move or copy emails to the following folders. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the creation of email forwarding rules with suspicious strings indicating forwarding criteria meant to steal sensitive information. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the creation of email forwarding rules with suspicious names. Part of the RedCanary 2024 Threat Detection Report.

Read More